With the changing demand for their services, many companies quickly adapted to working from home and then back into the office as restrictions eased. Consequently, many travel and leisure companies have adapted to the pandemic by allowing a significant number of their staff to work from home, either permanently or as part of an agile approach to their workforce.
Travel companies have also taken advantage of technology that allows them to serve customers through digital channels, which has led to a rapid surge in digital capabilities, services, and products for customers of those sectors.
However, this digital response to the pandemic crisis has led to new cybersecurity risks and vulnerabilities, and one of the key threats is created by the employees themselves.
They generally come in two forms.
Whichever form they take, they contribute to a significant number of data breaches every year.
A 2017 report from Clearswift reported that:
“Organizations report that 42% of IT security incidents occur as a result of their employees’ behaviour.”
In many cases breaches from former employees stem from an organisational failure to identify a change in employee status at the point the employee leaves the company – a classic disconnect between HR and the IT companies that are responsible for data security.
Some companies are more vulnerable to this than others – it often occurs where there is a high turnover of staff or where the HR function is outsourced. But IT and HR policies and procedures are key to helping companies combat the threat and making it more difficult for insiders to operate.
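The HR-to-IT disconnect described above is something a defender can check for mechanically: compare the HR leavers feed against the identity directory and the authentication log, and flag any leaver whose account is still enabled past a short grace period or who has signed in after their last working day. The script below is an added illustration, not ECRC's code or any product's API; the record layouts, field names, usernames, application names and dates are all constructed for the example.

```python
"""Reconcile an HR leavers feed against an identity-directory export and an
authentication log, flagging accounts that outlived their owner's departure.

Added example; the formats and data below are constructed, not taken from
any real system.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed HR leavers feed: employee id -> last working day.
HR_LEAVERS = {
    "E1001": date(2023, 3, 31),
    "E1002": date(2023, 4, 14),
    "E1003": date(2023, 4, 28),
}

# Constructed identity-directory export (the shape of a typical AD/IdP CSV dump).
DIRECTORY = [
    {"employee_id": "E1001", "username": "a.smith", "enabled": False},  # disabled on leaving
    {"employee_id": "E1002", "username": "b.jones", "enabled": True},   # never disabled
    {"employee_id": "E1003", "username": "c.patel", "enabled": True},   # left yesterday, in grace
    {"employee_id": "E2001", "username": "d.lee",   "enabled": True},   # current employee
]

# Constructed authentication log: "<ISO timestamp> <username> <application> <result>"
AUTH_LOG = """\
2023-04-03T09:12:44 a.smith booking-portal FAIL
2023-04-20T22:05:10 b.jones booking-portal OK
2023-04-21T02:41:09 b.jones crm-vendor OK
2023-04-29T08:00:00 d.lee booking-portal OK
"""


@dataclass(frozen=True)
class Finding:
    username: str
    employee_id: str
    issue: str      # "still-enabled" or "post-leave-login"
    detail: str


def parse_auth_log(text):
    """Parse the constructed log format into (timestamp, user, app, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, result = line.split()
        events.append((datetime.fromisoformat(ts), user, app, result))
    return events


def reconcile(leavers, directory, events, as_of, grace_days=1):
    """Return findings for leaver accounts that are still enabled once the grace
    period has passed, or that successfully authenticated after the last working day."""
    findings = []
    by_user = {rec["username"]: rec for rec in directory}

    # Check 1: account state versus HR status.
    for rec in directory:
        emp = rec["employee_id"]
        if emp not in leavers:
            continue
        deadline = leavers[emp] + timedelta(days=grace_days)
        if rec["enabled"] and as_of > deadline:
            findings.append(Finding(rec["username"], emp, "still-enabled",
                                    f"left {leavers[emp]}, still enabled on {as_of}"))

    # Check 2: successful sign-ins after the last working day, regardless of account state.
    for ts, user, app, result in events:
        rec = by_user.get(user)
        if rec is None or rec["employee_id"] not in leavers:
            continue
        if result == "OK" and ts.date() > leavers[rec["employee_id"]]:
            findings.append(Finding(user, rec["employee_id"], "post-leave-login",
                                    f"{app} at {ts.isoformat()}"))
    return findings


def run_report(as_of=date(2023, 4, 29)):
    """Run both checks over the constructed data and return the findings."""
    return reconcile(HR_LEAVERS, DIRECTORY, parse_auth_log(AUTH_LOG), as_of)


if __name__ == "__main__":
    for f in run_report():
        print(f"{f.issue:17} {f.username:10} ({f.employee_id}) {f.detail}")
```

The grace period is the one deliberate knob: a one-day allowance avoids paging on a leaver whose account is scheduled for removal in the next nightly job, while anyone still enabled after that, or signing in at all after their last day, is worth an HR and IT conversation. Feeding the same check from a scheduled export rather than a one-off CSV turns it into the kind of ongoing control the paragraph above is asking for.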
In January 2020, hackers abused a third-party application that Marriott used to provide guest services. The attackers gained access to 5.2 million records of Marriott guests. These records included passport data, contact information, gender, birthdays, loyalty account details, and personal preferences. Marriott’s security team noticed suspicious activity almost two months later and sealed the insider-caused security breach at the end of February 2020. It transpired that the attackers had used the compromised credentials of two Marriott employees to log in to one of the hotel chain’s third-party applications. This was an entirely avoidable scenario: with third-party vendor monitoring and user and entity behaviour analytics in place, Marriott could have detected the breach before the hackers accessed clients’ data.
The company ended up paying an £18.4M fine to the Information Commissioner’s Office as the company had failed to comply with General Data Protection Regulation (GDPR) requirements.
Threats like these are amongst the most difficult to guard against; however, there are some key considerations for companies.
Consider joining our growing community as a free core member.
Community members receive regular updates which include the latest guidance, news, and security updates. Our free membership has been tailored for small and medium sized businesses and charities who are based across the seven counties in the East of England.
The ECRC is a policing-led, not for profit, membership organisation, with the aim to increase the cyber resilience within small and medium businesses within the East of England (Hertfordshire, Bedfordshire, Cambridgeshire, Norfolk, Suffolk, Essex, and Kent).
Policing led - business focussed.